<br><br><div class="gmail_quote">On 3 February 2012 22:41, <span dir="ltr"><<a href="mailto:duane.larson@gmail.com">duane.larson@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
What does your whole REGISTER route look like? Maybe you are missing something in there and it is allowing someone to register even though the password is wrong.<div class="HOEnZb"><div class="h5"><br></div></div></blockquote>
<div><br></div><div>Definitely an issue with your script. Somewhere in there you are rejecting credentials but carrying on anyway...</div><div><br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="HOEnZb"><div class="h5"><br>On , James Lamanna <<a href="mailto:jlamanna@gmail.com" target="_blank">jlamanna@gmail.com</a>> wrote:<br>
> Hi,<br>> I know the phones are not on public IPs.<br>> Here is an opensips log of an attacker successfully registering<br>> (hashes have been scrubbed)<br>> <br>
> Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:tm:t_newtran: transaction on entrance=(nil)<br>
> Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:core:parse_headers: flags=ffffffffffffffff<br>
> Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:core:parse_headers: flags=78<br>
> Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:tm:t_lookup_request: start searching: hash=22639, isACK=0<br>
> Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:tm:t_lookup_request: proceeding to pre-RFC3261 transaction matching<br>
> Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:tm:t_lookup_request: no transaction found<br>
> Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:tm:run_reqin_callbacks: trans=0x2b9c44a2a3e0, callback type 1, id 0 entered<br>
> Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:auth:check_nonce: comparing [4f2c3e2b00000c63c2838fdbc4296a91dd7866f0c9a7b89b] and [4f2c3e2b00000c63c2838fdbc4296a91dd7866f0c9a7b89b]<br>
> Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:db_mysql:has_stmt_ctx: ctx found for subscriber<br>
> Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:db_mysql:db_mysql_do_prepared_query: conn=0x7ee8c0 (tail=8315728) MC=0x7ee3b0<br>
> Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:db_mysql:db_mysql_do_prepared_query: set values for the statement run<br>
> Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:db_mysql:db_mysql_val2bind: added val (0): len=5; type=254; is_null=0<br>
> Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:db_mysql:db_mysql_do_prepared_query: doing BIND_PARAM in...<br>
> Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:db_mysql:db_mysql_do_prepared_query: prepared statement has 1 columns in result<br>
> Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:core:db_new_result: allocate 48 bytes for result set at 0x7f2200<br>
> Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:db_mysql:db_mysql_get_columns: 1 columns returned from the query<br>
> Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:core:db_allocate_columns: allocate 28 bytes for result columns at 0x7f55a8<br>
> Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:db_mysql:db_mysql_get_columns: RES_NAMES(0x7f55b0)[0]=[password]<br>
> Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:db_mysql:db_mysql_get_columns: use DB_STRING result type<br>
> Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:core:db_allocate_rows: allocate 48 bytes for result rows and values at 0x7fa080<br>
> Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:db_mysql:db_mysql_str2val: converting STRING [........]<br>
> Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:auth_db:get_ha1: HA1 string calculated: ....7ee7c3<br>
> Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:auth:check_response: our result = ....7f340e'<br>
> Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:auth:check_response: their response = '.....7f340e", algorithm=MD5#015#012User-Agent: VaxSIPUserAgent/3.0#015#012Expires:<br>
> Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:auth:check_response: authorization is OK<br>
> Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:auth:post_auth: nonce index= 3171<br>
> Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:core:db_free_columns: freeing result columns at 0x7f55a8<br>
> Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:core:db_free_rows: freeing 1 rows<br>
> Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:core:db_free_row: freeing row values at 0x7fa090<br>
> Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:core:db_free_rows: freeing rows at 0x7fa080<br>
> Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:core:db_free_result: freeing result set at 0x7f2200<br>
> Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: Auth attempt for xxxxx@yy.yy.yy.11 from 74.204.92.217 on port 5060 ret 1<br>> <br>
> -- James<br>> <br>
> On Thu, Feb 2, 2012 at 12:08 AM, Dovid Bender <<a href="mailto:os-list@dovid.net" target="_blank">os-list@dovid.net</a>> wrote:<br>
> > James,<br>> ><br>
> > We have found with our users that some of them put the phones on public IP’s. If the default password is not changed, no matter how hard the password is they will get in. Also try using characters like “@:^#” in your passwords.<br>> ><br>
> > Regards,<br>> ><br>> > Dovid<br>> ><br>
> > ________________________________<br>> ><br>
> > From: <a href="mailto:users-bounces@lists.opensips.org" target="_blank">users-bounces@lists.opensips.org</a> [mailto:<a href="mailto:users-bounces@lists.opensips.org" target="_blank">users-bounces@lists.opensips.org</a>] On Behalf Of aws j<br>
> > Sent: Thursday, February 02, 2012 06:08<br>
> > To: OpenSIPS users mailling list<br>
> > Subject: Re: [OpenSIPS-Users] SIP Authentication Attacks<br>> ><br>
> > Dear Mr James<br>
> > Can you attach your suspect file to me so I can do VoIP forensics on it.<br>
> > thanks<br>> > Aws<br>> > Msc VoIP security<br>> ><br>
> > 2012/2/1 James Lamanna <<a href="mailto:jlamanna@gmail.com" target="_blank">jlamanna@gmail.com</a>><br>> ><br>
> > Hi,<br>
> > I've noticed lately that a server of mine is getting repeatedly hit by an attacker trying to make international calls.<br>
> > The scary part is that the attacker seems to be able to register correctly on different extensions, even though each extension has a different, random password.<br>
> > I'm not sure how the attacker is getting the passwords or if there's a man-in-the-middle attack going on, but I would like some suggestions on how to increase the security of SIP authentication in opensips.<br>
> > I could enforce security through IP addresses, but I fear that will become quite cumbersome.<br>> ><br>
> > Thanks.<br>> ><br>
> > -- James<br>
></div></div><br>_______________________________________________<br>
Users mailing list<br>
<a href="mailto:Users@lists.opensips.org">Users@lists.opensips.org</a><br>
<a href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users" target="_blank">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a><br>
<br></blockquote></div><br>
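The REGISTER-route failure mode the replies ask about (a challenge is sent, but processing carries on and the contact still gets saved) shown as an added illustration in OpenSIPS 1.x script; this is not the poster's configuration or any code from the thread. It assumes the textops, auth, auth_db, registrar, sl and xlog modules are loaded, that credentials live in the subscriber table, and that the poster's "Auth attempt ... ret N" line came from an xlog() placed right after www_authorize().

```opensips
# Added illustration, not the poster's script. Only the REGISTER branch is
# shown; module loading, modparams and the rest of the route are assumed.
route {

    if (is_method("REGISTER")) {

        # Weak form (kept as a comment): the 401 challenge goes out, but
        # nothing stops the request, so save() still binds the contact for
        # a REGISTER whose digest did not verify.
        #
        #   if (!www_authorize("", "subscriber"))
        #       www_challenge("", "0");
        #   save("location");

        # Corrected form. www_authorize() returns 1 on success and a
        # negative code on failure; $retcode holds that value, which is
        # what a log line of the form "... ret 1" reflects.
        www_authorize("", "subscriber");
        xlog("L_INFO", "Auth attempt for $fU@$fd from $si on port $sp ret $retcode\n");
        if ($retcode < 0) {
            www_challenge("", "0");
            exit;           # stop here: no save() for a failed digest
        }

        # Digest verified for $au. Refuse to bind a contact for any
        # account other than the one whose credentials were presented.
        if ($au != $tU) {
            sl_send_reply("403", "Forbidden");
            exit;
        }

        # Drop the Authorization header, then bind the contact.
        consume_credentials();
        if (!save("location"))
            sl_reply_error();
        exit;
    }

    # non-REGISTER handling continues here
}
```

The point of the `exit` after `www_challenge()` is that every branch of the REGISTER handling either saves an authenticated contact or ends the request; with the weak form a rejected digest is logged as rejected yet still produces a binding.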